Friday Flash 01.27.17

FAR & Beyond Blog:

Make the Multiple Award Schedules Great…Again!

Over the years, the GSA Multiple Award Schedule (MAS) program has been the leading federal market facilitator, bringing together commercial firms (small, medium, and large) and customer agencies. The MAS Program has provided agencies with cost-effective, streamlined access to best value commercial services, products and solutions.  In turn, small, medium, and large businesses were provided streamlined, efficient, and effective opportunities to compete, win, and deliver best value mission support for customer agencies and the American people.

Over the last decade, the focus of the MAS Program appears to have been evolving from that of a competitive market facilitator to a platform for centralizing government processes. This evolution has manifested itself in policy initiatives and activities, such as strategic sourcing, category management, and transactional data reporting.  Despite good intentions, these initiatives have resulted in costly, time-consuming contracting and reporting requirements for both contractors and contracting officials. Interestingly, as OMB and GSA have moved towards centralization, the Department of Defense, as mandated by Congress, has taken steps to decentralize, ceding to the services increased procurement autonomy for their requirements.

The MAS program has been, and can be, a dynamic federal marketplace for commercial services, products and solutions, allowing the government to access state-of-the-art innovation as it becomes available. At its best, the MAS program allows customer agencies to focus on articulating and defining competition-specific requirements through streamlined task and delivery order competitions and Blanket Purchase Agreements (BPAs).  Streamlined processes provide agencies and contractors with the strategic opportunity to focus on requirements and competition, rather than administrative requirements.

There is elegance, efficiency, and power in simplicity, and, in this age of rapidly-evolving technology and program needs for short purchasing timeframes, simplicity is desperately needed to make the government more effective that it has been.  Indeed, it is high time we return simplicity and efficiency to the MAS program and allow the power of the commercial market to be leveraged by the government in service to the American people.

To this end, the Coalition sets forth the following recommendations to make the MAS program great again:

  • Resurrect, embrace and utilize the GSA Administrator’s broad statutory authority for the management and operation of the MAS program to innovate and streamline the program.
  • Establish a Multiple Award Chief Procurement Officer responsible for overall management and implementation of policies, procedures, and systems across the program.
  • Create a dynamic, real-time electronic marketplace, evolving existing GSA tools, like GSA Advantage, into a holistic, transparent, user-friendly platform that is easily interoperable with commercial contractor systems.
  • Focus on enhancing transparency and competition at the task and delivery order level, and eliminate burdens at the contract level. Negotiate salient terms and conditions up front in the process, and maximize order competition to allow the market to drive the most fair and reasonable price.  This approach carries with it the benefit of reducing the need for audit, which reduces compliance costs, and, where audits are conducted, permits them to be focused internally on purchasing decisions.
  • Enhance and embrace use of single-award BPAs for agencies seeking to leverage requirements and associated commitments for good deals.
  • Simplify the ordering procedures in FAR 8.4.
  • Eliminate duplicative SINs, which add cost and administrative burden to commercial contracting, across all schedules, and allow contractors to propose, manage, and market their services and products consistent with their commercial practices.
  • Effectively implement flexible Order Level Materials (e., “ODCS”) capability across all schedules to increase the value and utility of the system to user agencies.
  • Maintain continuous open seasons across all schedules, including reopening all SINs under Schedule 75, to assure the platform stays current with market offerings.
  • Terminate the Transactional Data Reporting initiative and eliminate the Price Reduction Clause. Both are non-commercial overlays on the commercial buying process and are obviated by reliance on competitive market forces. As constructed, they add costly purchasing delay and administrative activity, which impede access to market innovation and undermine competition.
  • Rescind the Commercial Supplier Agreement Deviation, which is inconsistent the mandate under current law to utilize commercial terms and conditions to the maximum extent practicable, and truly utilize commercial terms and conditions to the maximum extent practicable.
  • Vest Federal Acquisition Service (FAS) managers with the authority and backing to manage their programs.
  • Ensure the consistent application of procurement policy across the MAS centers and by contracting officers interfacing with MAS contractors.
  • Reestablish the GSA Expo to improve training of GSA customers and contractors on the use of GSA’s procurement programs.

It is critical for the government to access innovation if it is to meet the challenges that face this nation.  The most efficient means to do so is to eliminate its own barriers to leveraging appropriately the terms, conditions, services, and products of the commercial market.

Coalition members sincerely want to make the Multiple Award Schedules successful because, by doing so, they believe they will help the government maximize value and service to their fellow citizens.  We look forward to working with all stakeholders to create a dynamic 21st Century MAS program built on transparency, competition, and access to the commercial marketplace.


This Week’s Presidential Actions

The Trump Administration has taken several executive actions since the Inauguration. Summaries of some of the memoranda and executive orders that impact contractors are provided below.

Regulatory Freeze

On Friday, January 20, President Trump’s Chief of Staff, Reince Priebus, issued a memorandum for the heads and Executive departments and agencies. The memorandum freezes new Federal regulations, asks for agencies to withdraw pending regulations, and delays the implementation of regulations that have not taken effect for 60 days.

The regulatory freeze will remain in effect until the heads of departments and agencies can review and approve existing regulations.  Regulatory freezes at the beginning of new administrations are common. The Obama Administration issued a similar freeze in 2009 to review regulations from the Bush Administration.

Hiring Freeze

On Monday, January 23, President Trump issued a memorandum for the heads of Executive departments and agencies. The memorandum orders a freeze on the hiring of Federal civilian employees—“no vacant positions existing at noon on January 22, 2017, may be filled and no new positions may be created.” The memorandum does not apply to military personnel and heads of executive departments and agencies may exempt positions from the freeze if it is necessary to meet national security or public safety requirements.

The freeze is part of a larger effort to reduce the size of the Federal government. The memorandum directs the Director of the Office of Management and Budget (OMB) and the Director of the Office of Personnel Management (OPM) to create a long-term plan to reduce the size of the Federal Government through attrition within the next three months. The hiring freeze will expire once the plan is implemented.

The memorandum specifically prohibits using contractors to circumvent the intent of the hiring freeze.

Executive Order to Limit the Implementation of the Affordable Care Act

On Friday, January 20, President Trump signed an Executive Order which directs agencies to minimize the economic impact of the Affordable Care Act. The order directs agencies to “waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the [Affordable Care] Act that would impose a fiscal burden.”

The order states that the Trump Administration will seek to repeal the Affordable Care Act and that in the meantime agencies should encourage the development of a free market for healthcare.


GSA Training Symposium in Huntsville- Registration and Booth Sales Open!

The Coalition is reprinting the following GSA announcement about the upcoming training in Huntsville.  We look forward to seeing you there.

The GSA Federal Acquisition Training Symposium will take place April 25 – 26, 2017, at the Von Braun Center in Huntsville, Alabama. This event is specially designed to benefit federal government employees and military members who make or influence procurement decisions.

An invaluable experience for acquisition or program managers, the training and exhibition will provide you with many opportunities to meet with over 1,600 buyers. 

Space is limited to 200 booths so register early to secure your spot!

Please visit us at for more information and to register.


New Leadership for GSA’s IT Category

gsa keith

On Thursday, January 19, Mary Davie, Assistant Commissioner for the Information Technology Category (ITC), announced the hiring of two new leaders within the organization.

Keith Nakasone will be the new Deputy Assistant Commissioner for Acquisition, where he will oversee Schedule 70, the GWACs, USAccess, identity management programs, and telecommunications contracts—representing a total of $22 billion in annual spending. Nakasone previously served as the Senior Procurement Executive for the Federal Communications Commission.

Jose Arrieta will be the new director for Schedule 70, leading the largest government IT acquisition vehicle. Arrieta previously worked for the Department of the Treasury’s Office of Small & Disadvantaged Business Utilization.


Seeking Additional Feedback on MAS 75 RFI

On Tuesday, January 17, the Coalition submitted comments to the General Services Administration (GSA) regarding their recent Request for Information (RFI) which detailed a proposal for re-opening Schedule 75 for office supplies and services, which has been closed to new offers since October 2010.

Pursuant to the RFI, GSA is proposing to re-open Schedule 75 by creating a new Enhanced SIN 75 2XX and closing the Revised SIN 75 200 and SIN 75 85 to new offers. The new SIN would incorporate the following technical go/no-go requirements:

  • AbilityOne-certified Contractor;
  • Demonstrated ability to meet all environmental reporting and green product
  • requirements;
  • Demonstrated capability to provide real-time order status to GSA Advantage!;
  • Demonstrated system to remain compliant with the Trade Agreements Act;
  • Currently be able to provide point of sale discount for all contract orders;
  • Agency-defined reports at no additional cost;
  • Demonstrated ability to provide desktop delivery and secure desktop delivery;
  • Standard delivery anywhere CONUS within 3 to 4 business days;
  • Ability to deliver to Alaska, Hawaii, Puerto Rico, and other OCONUS locations;
  • Demonstrated ability to provide Fill or Kill status
  • Ability to report subcontracting quarterly, other than small business only;
  • Satisfactory past performance;
  • Submission of completed Subcontracting Plan, if applicable.

The Coalition may be submitting additional comments to GSA regarding specific concerns related to the new enhanced SIN 75 2XX requirements and welcomes member feedback. Please send any comments you may have to Andrew Sisti at


Small Business Committee Meeting, Jan. 31

On Tuesday, January 31st, the Small Business Committee will be hosting guest speaker Robin Bourne, Director, MAS Program Office, from 10:00 am to 12:00 pm. Mr. Bourne will provide members with an update on small business subcontracting plans and other topics.

Members who are interested in attending the meeting, please RSVP to Jason Baccus at to receive additional details regarding the meeting location. Registration is open to all members of the Coalition interested in small business.


IT/Services Committee Meeting on the Transition, Feb. 14

The Coalition’s IT/Services Committee will be meeting on Tuesday February 14th at 10:00 am. Crowell & Moring will be providing a briefing to the committee on what Federal contractors can expect during the Trump Administration, including potential regulation and policy initiatives.

If you would like to attend the meeting please RSVP to Jason Baccus; RSVPs are required for security purposes.


Airforce Cyber Priorities

Earlier this week, the Chief Information Security Officer (CISO) for the United States Air Force, Pete Kim, sat down with Federal Computer Week  (FCW) to discuss the Department’s list of cyber priorities for 2017. Significantly, Mr. Kim stated that the Air Force plans to implement many aspects of its comprehensive Air Force Cyber Campaign Plan, which was published last Fall. In addition, the Department is focusing their efforts on ensuring that greater attention and funding are directed towards addressing its legacy IT systems and mission threat analysis. This would include updating legacy platforms, hardening mission systems, building cybersecurity into new acquisitions, and making Air Force personnel more cyber secure.


Administration Freezes EPA Contracting

epa pic

On Tuesday, January 24, the Washington Post published an article, which reported that the Trump Administration has instructed officials at the Environmental Protection Agency (EPA) to freeze its grants and contracts. The EPA spent about $1.6 billion on contracts and $4 billion on grants in fiscal year 2016.

According to the article, the instructions were issued to the EPA shortly after the Inauguration on Friday, January 20. The Administration has not elaborated on the decision to specifically target the EPA for a contracting freeze.


CYBERCOM’s New Buying Power Now Closer to Reality

According to Federal News Radio, the U.S. Cyber Command (CYBERCOM) has Congressional authority to spend up to $75 million on cyber capabilities, equipment, and services. CYBERCOM, which is in the midst of creating its own acquisition office to handle its new spending authority, plans to focus its 2017 funds on research and development of “cyber-operation particular” goods and services.

Because CYBERCOM will have its own acquisition authority, it will be able to solicit offerors directly, and ensure they are meeting specific mission goals while also reducing the time and expense generated by having to act thorough a third party.

In addition, CYBERCOM is setting up a team of 10 officials to manage these funds. The command acquisition executive leading the team will be a Senior Executive Service employee, who will report directly to the CYBERCOM commander. The command acquisition executive will provide oversight for program management, contracting support, logistics support, legal advice and guidance. The command is aiming for a workforce made up of about 80 percent uniformed military and 20 percent civilian personnel.


GSA to Rebrand SIN 520-20 for Identity, Data Breach Protection

gsa pic

On January 19, the General Services Administration’s (GSA) Office of Professional Services and Human Capital Categories issued a Request for Information (RFI) seeking feedback on a proposal that would change the current focus of Special Item Number (SIN) 520-20 to one that emphasizes identity and data breach detection. Previously, the SIN had centered on Comprehensive Protection Solutions. Pursuant to this change, industry would be required to have the ability to provide an integrated solution of total services, which would include identity monitoring, identity theft insurance, safeguarding and restoration services, breach mitigation, and forensic services. The current 520-20 SIN provides customized products for credit monitoring services, risk assessment and mitigation services, independent risk analysis, and data breach analysis.

GSA is looking for industry comment on the impact of rebranding 520-20 and modifying the language of SIN 520-16, which provides Business Information Services and 520-17, which provides Risk Mitigation Services.

Comments on the RFI are due by Feb 21, 2017.  Interested members are asked to submit feedback to Aubrey Woolley at


Legal Corner

The New Proposed DHS Rule on Safeguarding Of Controlled Unclassified Information – A Critical Analysis

Robert Metzger, Shareholder, Rogers Joseph O’Donnell

On January 19, 2017, DHS published a proposed rule to address requirements for the safeguarding of Controlled Unclassified Information (CUI). Homeland Security Acquisition Regulation (HSAR); Safeguarding of Controlled Unclassified Information (HSAR Case 2015–001). 82 Fed. Reg. 6429. Comments are due by March 20, 2017.

Unfortunately, the rule attempts to do too much but achieves too little. I expect the rulemaking to be contentious. While a few companies may see the rule as advantageous to their opportunities to dominate DHS business, many more will object.

Twelve Categories of DHS CUI

Without doubt, DHS does produce and provide to contractors sensitive information which must be protected as to confidentiality, availability and integrity. The proposed rule identifies twelve types of DHS CUI.

  • Eight of these are in the National Archives and Records Administration (NARA) CUI Registry: Chem-terrorism Vulnerability Information (CVI), Protected Critical Infrastructure Information (PCII), Sensitive Security Information, International Agreement Information, Physical Security Information, Privacy Information, Sensitive Personally Identifiable Information (SPII) and Information System Vulnerability Information (ISVI).
  • The rule adds four new categories/subcategories of CUI that are not in the NARA CUI Registry: Homeland Security Agreement Information, Homeland Security Enforcement Information, Operations Security Information, and Personnel Security Information

On its face, the addition of four categories of CUI, at the initiative of one agency, seems contrary to the CUI Final Rule, 81 Fed. Reg. 63325, 63326 (Sep. 14, 2016). In that Rule, NARA stated that “the CUI Registry lists categories and subcategories of CUI that laws, regulations, and Government-wide policies create or govern”. The Final CUI Rule states:

“Agencies may use only those categories or subcategories approved by the CUI EA [Executive Agent – NARA] and published in the CUI Registry to designate information as CUI.”

32 CFR 2002.12(b). Moreover, the Final CUI rule explicitly “overrides agency-specific or ad hoc requirements when the conflict.” 32 CFR 2002.1(i).

Two Categories of Contractor Access to DHS CUI

The rule requires safeguarding of CUI for two very different categories of contractor activity. The first is where DHS CUI is on a contractor information system that the contractor operates on behalf of DHS. The second is where a contractor may have access to DHS CUI on the contractor’s information system.

  • Contractors Who Use DHS CUI to Operate a Federal Information System for DHS. In the first category, as the proposed rule recognizes, the contractor is operating a “federal information system” (here “FIS”) by or on behalf of an agency. The proposed rule applies the full range of federal obligations to contractors who operate a FIS – and then some. Proposed Homeland Security Acquisition Regulation (HSAR) 3052.204-7X (c). A contractor in this category “shall not collect, possess, store or transmit CUI” without an Authority to Operate (ATO) that has been accepted by DHS. An extensive and rigorous process is described, including a Security Authorization process, requirements to develop a Security Authorization Package, independent assessment, periodic ATO renewal, mandatory consent to random periodic security reviews, compliance with federal reporting, obligatory continuous monitoring, incident reporting and response – and more (as further described below).
  • Other Contractors Who Have Access to DHS CUI. The second category applies, if you will, to “the rest of us,” namely, any other contractor or subcontractor to whom DHS allows access to DHS CUI. These contractors and subcontractors – who are not operating a FIS – “must provide adequate security to protect CUI from unauthorized access and disclosure.” Proposed HSAR 3052.204-7X (b).

(For the first category (contractors operating a FIS for DHS), my concern is that the rule is too burdensome, highly intrusive, restrictive of competition, and not cost effective.  I do not focus on these concerns in this post, however.)

The treatment of contractors in the second category is frankly baffling. An obligation to safeguard is to be imposed on any DHS contractor who has access to any of the 12 forms of DHS CUI. But, the proposed rule does not address what “safeguards” are to be applied. Nor does it discuss who has the responsibility to identify or designate DHS CUI, whether any safeguarding obligations also apply to other categories or subcategories of CUI as listed in the Federal Registry, what relationship must exist between the presence of information that could be CUI and a contractual obligation to DHS, or how the agency will respond, advise or adjudicate any questions as to application, administration, implementation or enforcement of the safeguarding obligation.

There is no room for doubt that DHS intends to obligate that any contractor (or subcontractor) who has DHS CUI is obligated to safeguard CUI, even when it is on a contractor information system that is not a FIS:

DHS requires that CUI be safeguarded wherever such information resides. This includes government-owned and operated information systems, government-owned and contractor operated information systems, contractor-owned and/or operated information systems operating on behalf of the agency, and any situation where contractor and/or subcontractor employees may have access to CUI. There are several Department policies and procedures (accessible at which also address the safeguarding of CUI. Compliance with these policies and procedures, as amended, is required.”

Proposed HSAR Section 3004.470-3(a) (Policy) (emphasis added).

No Use of NIST SP 800-171

Other agencies, seeking to protect forms of CUI, rely upon NIST SP 800-171 (Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations). In the proposed HSAR, however, SP 800-171 is all but ignored.

The NARA CUI Final Rule was clear that SP 800-171 establishes the safeguards contractors are to use when they host, transmit or use CUI:

“The NIST SP 800–171, incorporated by reference in this final rule, establishes guidance for protecting CUI in non-Federal systems: (1) When the CUI is resident in non-Federal information systems and organizations; (2) when the information systems where the CUI resides are not used or operated by contractors of Federal agencies or other organizations on behalf of those agencies; and (3) when the authorizing law, Federal regulation, or Governmentwide policy listed in the CUI Registry for the CUI category or subcategory does not prescribe specific safeguarding requirements for protecting the CUI’s confidentiality.”

81 Fed. Reg. 63325.

The Department of Defense, in the “Network Penetration” DFARS, obligates all DoD suppliers who possess “Covered Defense Information” (CDI). As now defined CDI includes both “Controlled Technical Information” (i.e., information of military or space significance) and any other form of CUI. The DFARS require all DoD suppliers, at all tiers, to use the safeguards of SP 800-171 to protect CDI if marked or otherwise identified by DoD or used by the contractor in support of the performance of the DoD contract. DFARS 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”), at 204-7012(a), 204-7012(b)(2).

SP 800-171 describes 110 controls in 14 families of security requirements. The families and controls in SP 800-171 align to corresponding principles in FISMA, which applies to federal agencies and federal information systems. SP 800-171 articulates safeguards as objectives but deliberately does not require contractors to follow the specific controls and enhancements elaborated in the Special Publication, SP 800-53, that NIST developed for federal information systems that are subject to FISMA information security requirements.

The only mention to SP 800-171 in the proposed HSAR to safeguard CUI is in a footnote in the preamble to the rule. 82 Fed. Reg. 6431, n.5. Although DHS allows that it is “aware” of SP 800-171, and that it was released to provide federal agencies with recommended requirements for CUI, DHS insists that “the information system security requirements in this proposed rulemaking are focused on Federal information systems, which include contractor information systems operating on behalf of an agency”, and such systems “are not subject” to SP 800-171.

While the drafters may have “focused” on DHS contractors who operate a FIS, the Proposed HSAR is not limited just to them. For illustration, the following statement is contained in the required analysis under the Regulatory Flexibility Act:

This rule will apply to DHS contractors that require access to CUI, collect or maintain CUI on behalf of the Government, or operate Federal information systems, which includes contractor information systems operating on behalf of the agency, that collect, process, store or transmit CUI.”

82 Fed. Reg. 6439 (emphasis added). Another statement is that “adequate security” requirements apply “when contractor and/or subcontractor employees will have access to sensitive CUI.” Id. In the same analysis, DHS refers to its award, for FY 2014, of nearly 14,000 new contract awards to large and small business. By no means were all of these contracts for operation of a FIS. DHS says that “a number of factors determine applicability of the proposed clause”. Id. The proposed “Safeguarding” clause says that “[c[ontractors and subcontractors must provide adequate security to protect CUI from unauthorized access and disclosure.” Proposed HSAR 3052.204-7X(b)(1). This obligation is not confined only to the FIS contractor category. The “adequate security” obligation appears to apply to every DHS contractor (and every subcontractor, at any level) who is allowed access to DHS CUI.

The neglect of SP 800-171, despite recognition of its intended purpose, is a gaping hole. If this proposed HSAR were to take effect as presently drafted, it would leave thousands of contractors and subcontractors completely “in the dark” as to what safeguards would satisfy their obligations to DHS. The proposed rule says that the Government will provide a “Requirements Traceability to Matrix (RTM) (sic) so that “contractors will know at the solicitation level the security requirements for which they must comply.” 82 Fed. Reg. 6437. But the RTM is directly linked to the requirements for a contractor’s security authorization package – itself an obligation imposed only on those “first category” contractors who operate a FIS for DHS. Reference to a future, “to be determined” set of security requirements does not provide much for contractors to work with for planning purposes. The RTM concept also suggests that there could be many variations of requirements and that means companies won’t know what will apply, to the system on which they host the CUI, until they see the solicitation, which might be too late.

The proposed HSAR takes an approach to protection of DHS CUI that is both incomplete and inconsistent with that of federal agencies.  This seems at odds with a fundamental purpose of the Final CUI Rule, expressed by the statement that “[a]gencies therefore may not implement safeguarding or dissemination controls for any unclassified information other than those controls consistent with the CUI Program.” 32 CFR 2002.1(c). Nor does it answer the obvious question of why not to use SP 800-171 when it was developed specifically for contractor information systems and for the purpose of protecting CUI.

Other Concerns

  • For the category of contractors who operate a FIS for DHS, the proposed HSAR does state that they “must meet prior to collecting, processing or storing, or transmitting CUI, the security requirements of SP 800-53. 82 Fed. Reg. 6431. That is an unworkable approach for non-federal entities that may host, transmit or use CUI on their contractor information system. And it is contrary to the supposedly government-wide decision reflected in the Final CUI rule, namely that when “non-executive branch entities” are not using or operating a FIS, the agency “must prescribe the requirements of NIST SP 800-171 in agreements to protect CUI, unless the agreement established higher security requirements.” 81 Fed. Reg. 63330.
  • The language cited immediately above contains a phrase – “must meet prior to collecting …” – that likely will be very controversial. As to the first category (FIS contractors), the proposed rule contains extensive “end-to-end” demands. These will be expensive to implement and considerable time will be required to prepare for and then engage the required process before receipt of the ATO. A fair reading of the “prior to” phrasing is that some companies may not be able to bid on or receive award of a DHS FIS-type contract until they’ve been through the entire ATO process and can demonstrate ability to meet all HSAR requirements. Companies that think they should be eligible to compete for DHS will think the “front-loaded” requirements exclude them.
  • Fundamentally, this proposed rule may follow from a mindset that DHS has key information to protect and is prepared to do business only with contractors who will invest and secure their on-premises information systems and monitor as DHS specially requires. That will narrow DHS’ access to sources. It likely will add to acquisition costs. Surprisingly, the proposed HSAR does not so much as recognize much less accommodate the use of cloud services by its contractors in either category of access to DHS CUI. (The only reference to cloud is that DHS received input from FedRAMP for the costs of independent assessment of security methods. 82 Fed. Reg. 6434.)
  • The rule also describes itself as having “requirements …expanded to include professional services contractors that have access to CUI”. 82 Fed. Reg. 6439. Because it does not clearly articulate how requirements would be applied to professional service providers, what safeguards they would be obligated to provide, or how they would be assessed by DHS, I consider it likely that the professional services community will object.
  • Small businesses also should be concerned. DHS acknowledges that this is a “significant” regulatory action and that it will have impact on small business. 82 Fed. Reg. 6443, 6439. DHS seems resigned to high costs of consultants and systems. DHS “invites comments from small business concerns … on the expected impact of this rule on small entities,” but there is nothing specific to assure the small business community that it will be able to comply.
  • In addition to expected requirements that DHS contractors report compromise incidents, the proposed rule includes PII and SPII notification requirements to individuals whose PII and/or SPII was under a contractor’s control at the time of the incident, and obligates mandatory credit-monitoring for a period of not less than eighteen (18) months. Proposed HSAR 3052.204-7X (f), (g). Including these as “embedded” obligations, in the absence of either the incident or the injury, prompts the questions of “why” and “who is going to pay for it”? It would be different to require a DHS (FIS) contractor to demonstrate that they have these capabilities in place, but not to include the execution of these capabilities in a contract clause that sets minimum security requirements.



The timing of the proposed regulation, released just one day before the transition of power to the new President, suggests that DHS may have hurried to start the rulemaking process. If the intent was to accelerate achievement of a final, binding rule, I doubt this will succeed. My perspective is that there are flaws in the proposed draft that will draw critical scrutiny from many potentially affected stakeholders – inside as well as outside of the Government. DHS might de-couple the regulations focused on its contractors who receive DHS CUI to operate information systems on the agency’s behalf and complete those separately from regulations that generally impose safeguards on any contractor that is afforded access to DHS CUI. As to the latter category, DHS should seek to more closely align its approach to that DoD is working to achieve and which NARA anticipates.

Author’s note – this version (dated Jan. 23, 2017) contains several corrections and additional analysis to the version originally published).


Court Addresses “Substantial Transformation” Standard for Country of Origin Under the Trade Agreements Act

Tom Barletta, Partner, Steptoe & Johnson LLP

Paul Hurst, Partner, Steptoe & Johnson LLP

Greg McCue, of Counsel, Steptoe & Johnson LLP[1]

The US Court of International Trade (CIT) recently addressed what constitutes “substantial transformation” for purposes of determining country of origin (COO) for US government procurement purposes under the Trade Agreements Act of 1979 (TAA). Energizer Battery, Inc. v. United States, 2016 WL 7118538 (Ct. Intl. Trade 2016). The case is one of first impression for the CIT, which has jurisdiction to review final determinations of US Customs and Border Protection (CBP).2  The opinion provides additional guidance on the interpretation and application of the TAA for government procurement purposes.

The CIT case involved a second generation (Generation II) military flashlight produced by Energizer. The case came before the CIT on a challenge by Energizer to a CBP ruling that the country of origin of the Generation II flashlight was China, which would make the flashlight ineligible for government procurement under the TAA. The issue with respect to the Generation II flashlight focused primarily on whether assembly in the US of components, “virtually all of which” according to the CBP, were of Chinese origin, constituted substantial transformation. The Court, after conducting a de novo review of the record before it,3 also concluded China was the country of origin of the Generation II flashlight for government procurement purposes.

The CIT first observed judicial interpretations of substantial transformation for purposes of government procurement under the TAA have been few and far between, and therefore looked to decisions construing language identical to the TAA in cases arising in other customs areas such as marking. The court noted the test for substantial transformation is fact specific and looks at whether the article underwent a process “such that ‘a new and different article [has] emerge[d], having a distinctive name, character, or use.’” (Citation omitted). It also observed that “[c]ourts have primarily focused on changes in use or character” in assessing whether there has been substantial transformation, and a change in name is the “least compelling of the factors.”

The CIT also observed that in assessing whether there has been a change in “character,” some courts have looked to the “essence” of the completed article “to determine whether an imported article has undergone a change in character as a result of post-importation processing.” It also noted that “when the post-importation processing consists of assembly, courts have been reluctant to find a change in character, particularly when the imported articles do not undergo a physical change.” With respect to change in use, it stated courts have “found that such a change occurred when the end-use of the imported product was no longer interchangeable with the end-use of the product after post–importation processing,” but that “when the end-use was predetermined at the time of importation, courts have generally not found a change in use.” Finally, it pointed out that courts have considered various “subsidiary or additional factors, such as the extent and nature of operations performed, value added during post-importation processing, a change from producer to consumer goods, or a shift in tariff provisions.” However, it also observed there is no uniform or exhaustive list of those factors and consideration of them “is not consistent,” noting that some courts have distinguished “minor manufacturing,” or simple assembly, from more complex processes.

With respect to the Generation II flashlight, the CIT found the assembly operations in the US did not result in substantial transformation, primarily because the post-importation assembly operations “[did] not result in a change in the shape or material composition of any imported component . . . [such that] there is no change in character as a result of Energizer’s assembly operations.” The CIT also held that the imported components did not undergo a change in name or use when they were assembled in the US. With respect to the latter, the court rejected Energizer’s argument that its assembly process was transformative because “none of the . . . components could function as a flashlight at the time of importation and all of them became integral parts of a new commercial product.” Significantly, the court noted that where, as with the Generation II flashlights, components “are imported in a pre-fabricated form with a predetermined use, the assembly of those articles into a final product, without more, may not rise to the level of substantial transformation.” The court also found the post-importation processing was “not sufficiently complex as to constitute substantial transformation.”

Finally, the CIT also rejected Energizer’s reliance on the US share of production costs (there, 45%) as supporting its position that the US operations resulted in substantial transformation. It noted this was a “subsidiary factor” and suggested that those costs were attributable of approximately seven minutes of labor.

The CIT’s decision points to three important considerations in assessing country of origin under the TAA for government procurement purposes.

First, the court confirmed the analysis of “substantial transformation” in judicial (and CBP), decisions in other contexts (such as determinations of the country of imported goods for marking purposes), are relevant to the analysis of COO for government procurement purposes. Indeed, the CBP often looks to its prior decisions involving country of origin for marking purposes when assessing substantial transformation of similar products for government procurement purposes under the TAA.

Second, the CIT’s analysis makes clear that certain assembly operations may not be “enough” to establish substantial transformation. For example, an assembly operation involving relatively simple operations or, as with the Generation II flashlight, input parts (or subassemblies), already shaped and committed for use only in the finished product, may not be sufficient to establish substantial transformation. Accordingly, companies should assess assembly operations with an objective and critical eye in assessing whether such operations are sufficiently complex to change the “character” of the input items. Again, past CBP rulings and judicial decisions that analyze assembly operations similar to those under consideration can be important in the analysis of whether a particular process is likely to constitute substantial transformation for government procurement purposes. This analysis could include examination of the actual, physical steps in the relevant assembly operation, including their complexity and required level of expertise.

Finally, the CIT explicitly embraced the traditional “name, character and use” test for substantial transformation. Unlike other country of origin regimes, for example, the Buy American Act, this test does not expressly include a percentage of local value added or content standard to establish COO for US government procurement purposes. As noted above, the CIT in Energizer Battery described the value added during post-importation processing as a “subsidiary factor” in its analysis. Thus, the percentage of costs associated with US-based activity in the total cost of an item while relevant, may not be dispositive.


1 Tom Barletta and Paul Hurst are partners in the Government Contracts practice in the Washington office of Steptoe & Johnson LLP, and Greg McCue is of counsel and leads the US Customs practice in Steptoe’s Washington office.  © Steptoe & Johnson LLP.

2 The US Secretary of the Treasury has the authority to make country of origin determinations for government procurement purposes under § 305(b)(1) of the TAA and that authority has been delegated to CBP.  A contractor or supplier having to make a country of origin representation for government procurement purposes can seek either an “advisory ruling” or a “final determination” from CPB as to specific products or representative class(es) of products.

3 See 19 USC § 1581(e): “The Court of International Trade shall have exclusive jurisdiction of any civil action commenced to review any final determination of the US Secretary of the Treasury under section 305(b)(1) of the Trade Agreements Act of 1979.” See also 28 USC § 2640(a)(3): “(a) The Court of International Trade shall make its determinations upon the basis of the record made before the court in the following categories of civil actions: … (3)   Civil actions commenced to review a final determination made under section 305(b)(1) of the Trade Agreements Act of 1979.”


Proposed Rule on Set-Asides Under Multiple Award Contracts

Recently, the FAR Council published a proposed rule titled, Set-Asides Under Multiple-Award Contracts, which provides additional guidance on the use of partial set-asides, reserves, and set-asides of orders under multiple-award contracts.  It also clarifies requirements related to the limitations on subcontracting and the nonmanufacturer rule.

Proposed changes include:

  • Partial Set-Asides. When market research indicates that a total set-aside is not feasible under a multiple-award contract, partial set-asides should be considered. Further, small businesses will no longer be required to submit an offer on the non-set-aside portion of a solicitation in order to be considered for the set-aside portion of the solicitation.
  • Orders under Multiple-award contracts. Provides new methodologies for setting aside orders under multiple-award contracts so that contracting officers (COs) have the flexibility to employ the ordering technique that is best suited to the surrounding acquisition environment. For example, COs may establish terms and conditions providing that all task orders are set aside for small businesses awarded under the set-aside portion of the contract.
  • Assignment of NAICS codes and size standards. Guidance is provided for the assignment of NAICS codes for multiple-award contracts. Contracting officers will have the ability to 1) assign one NAICS code to an entire solicitation, or 2) if a solicitation can be divided into categories, assign a NAICS code and its corresponding size standard to each portion or category.
  • Application of limitations on subcontracting and the nonmanufacturer rule. Moves the nonmanufacturer rule coverage and subcontracting limitations together under FAR Part 19. Clarifies that 1) performance of work requirements do not apply in the case of full and open competition, and 2) compliance with limitations on contracting can be determined based on the minimum percentage of work performed at the aggregate contract or order level.

Comments on the proposed rule are due by February 6, 2017.  The Coalition is currently considering submitting comments on the proposed rule and welcomes member feedback. If you would like us to submit a response, please contact Jason Baccus at


Proposed Rule on Government Industry Communications – Deadline Extended

On November 29, the FAR Council published a proposed rule that would amend the Federal Acquisition Regulation (FAR) to clarify policies related to agency acquisition personnel’s interactions with industry. Specifically, the proposed rule would make clear that acquisition personnel are permitted, and in fact encouraged, to engage in exchanges with industry, so long that the exchanges are consistent with law and regulation.  The deadline for comments on the proposed rule has been extended to March 2, 2017.  Interested members are asked to submit feedback to Sean Nulty at